How agencies should respond to shorter breach reporting statutes
- By Jayne Friedland Holland
- Mar 05, 2018
Legislators increasingly criticize companies for the time it takes them to announce cybersecurity attacks that affect millions of consumers. Historically, most states have required that impacted consumers be notified “without unreasonable delay.” But recent high-profile breaches, like those affecting Equifax, Verizon and Sonic, have prompted many states to mandate faster reporting timelines and to enforce the deadlines with heavy civil fines for entities that do not comply.
As of Jan. 1, 2018, Maryland joined at least five other states that have established 45 days from the time of discovery as the deadline for publicly disclosing a breach. Some states also require the affected entity to provide a year of free identity theft prevention or mitigation services to every individual affected by the breach. Just two states, Alabama and South Dakota, currently do not have a breach notification law in place.
The federal picture
State legislators are not the only ones paying attention to escalating theft of private online information. For several years, the U.S. Congress has discussed overriding the patchwork of state requirements by establishing a national notification standard. Numerous bills have failed to advance, but Congress is likely to continue proposing nationwide notification measures until one passes.
One such iteration announced Dec. 1, 2017, dubbed the Data Security and Breach Notification Act, gave entities that discover a breach 30 days to issue a notification. On the heels of the Nov. 21 announcement that Uber waited a year before revealing a cyber invasion that exposed 57 million drivers’ and riders’ personal information, the proposed bill would make it a crime -- punishable by up to five years in prison -- to purposely conceal a breach.
Breach notification bills have stalled at the national level in part because of uncertainty about whether a federal mandate would supersede state laws. States with stricter regulations than those in a federal statute would be reluctant to go back to a less-rigorous reporting deadline. Recent moves to harden reporting statutes may represent states’ attempts to preempt a national law by demonstrating they already are doing what needs to be done to protect citizens.
The problem with reporting prematurely
Elected officials, who have a responsibility for consumer protection, understandably want affected individuals to learn quickly about a breach so they can take protective measures. But premature reporting carries risks for companies and government agencies that have been hacked.
Investigating a security breach requires a forensic process to find out how the attack happened, identify its severity, contain the threat and determine whether -- and if so, what -- confidential information has been compromised. A thorough investigation is crucial, and it may take weeks or months.
While government agencies must adhere to applicable reporting laws, it is advisable not to speculate or offer definitive statements before all the facts are known. Releasing information prematurely can damage an agency’s credibility and erode citizens’ trust if the information communicated later turns out to be erroneous or inaccurate.
Striking a balance
As the increasing number of breaches collides with tighter reporting mandates, agencies must strike a balance between protecting citizens and taking the time required to conduct a meticulous forensic investigation. Before a breach occurs:
1. Understand the reporting requirements. Many states’ breach-related laws have changed over the past few years. Agencies that do business with citizens or businesses outside their home state must report a breach according to the dictates of the other states, as well.
2. Review agency-stored data. Discontinue storing any data that is not necessary for conducting business. Make sure the IT team knows where all the data is stored so they can quickly determine, if a breach occurs, which data may have been compromised.
3. Develop a plan to announce the breach. Establish and test an incident response plan that permits officials to disseminate information by the reporting deadline. The plan should identify a certified forensic service firm that can be called in immediately to conduct a comprehensive investigation. The plan also should outline a structure for managing the public announcement.
Adhering to reporting requirements may mean that agencies that experience a breach must go public before they have fully determined the extent of the incident. In that case:
- Tie initial assertions to the status of the forensic investigation.
- Be upfront about progress with the fact-finding process.
- Communicate only information verified as accurate.
- Caution that reports contain information obtained thus far.
- Acknowledge the public’s desire for as much information as possible.
- Assure authorities and the public further information will be provided as soon as it can be verified.
Jayne Friedland Holland is chief security officer at NIC Inc.